After Mozilla inquiry, Apple untrusts Chinese certificate authority

Following a Mozilla-led investigation that found multiple problems in the SSL certificate issuance process of WoSign, a China-based certificate authority, Apple will modify iOS and macOS to stop trusting future certificates issued by the company.

Although there is no WoSign root certificate in Apple's trusted certificate store, a WoSign intermediate CA certificate is cross-signed by two other CAs that Apple does trust: StartCom and Comodo. A certificate issued by WoSign can therefore be chained through one of those cross-signed intermediates up to a trusted root, which means that until now Apple products have automatically trusted certificates issued through the WoSign intermediate CA.

Because WoSign experienced multiple control failures in its certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA, "we are taking action to protect users in an upcoming security update," Apple said in support notes for both iOS and macOS. "Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA."

The ban applies only to future certificates issued by WoSign, not to those that had already been issued and published to public Certificate Transparency (CT) log servers by Sept. 19. Those existing certificates will continue to be trusted until they expire, are revoked, or Apple decides to block them at a later date.
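As an added example of the mechanism described in the two paragraphs above (this is illustrative code, not anything published by the article, Apple or Mozilla), the following Python models a client trust store that contains no WoSign root, a WoSign intermediate that is cross-signed by two trusted roots, and a distrust rule that blocks certificates issued through that intermediate after a cutoff date while keeping earlier ones. Every certificate name, key identifier and date in it is constructed; certificates are plain records rather than parsed X.509, and the leaf's notBefore date stands in for the CT-log publication date the article refers to.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str      # subject name (a stand-in for the full DN)
    issuer: str       # issuer name
    not_before: date  # validity start, used here as the issuance date
    spki: str         # identifier for the subject's public key


# Constructed sample PKI.  Roots are self-issued; "WoSign G2" appears twice
# with the same key because it is cross-signed by two different roots.
CERTS: List[Cert] = [
    Cert("Comodo Root", "Comodo Root", date(2010, 1, 1), "comodo-key"),
    Cert("StartCom Root", "StartCom Root", date(2010, 1, 1), "startcom-key"),
    Cert("Unrelated Root", "Unrelated Root", date(2010, 1, 1), "unrelated-key"),
    Cert("WoSign G2", "StartCom Root", date(2014, 1, 1), "wosign-g2-key"),
    Cert("WoSign G2", "Comodo Root", date(2014, 1, 1), "wosign-g2-key"),
    Cert("Unrelated Sub-CA", "Unrelated Root", date(2014, 1, 1), "unrelated-sub-key"),
    Cert("old.example", "WoSign G2", date(2016, 6, 1), "leaf-old-key"),
    Cert("new.example", "WoSign G2", date(2016, 10, 1), "leaf-new-key"),
    Cert("ok.example", "Unrelated Sub-CA", date(2016, 10, 1), "leaf-ok-key"),
]

# Keys of the roots the hypothetical client trusts.  There is no WoSign root,
# matching the article's description of Apple's store.
TRUSTED_ROOT_KEYS: Set[str] = {"comodo-key", "startcom-key", "unrelated-key"}

# Distrust is keyed on the CA's public key, not its name or any single
# certificate, so every cross-signed copy of the intermediate is caught.
DISTRUSTED_CA_KEYS: Set[str] = {"wosign-g2-key"}
CUTOFF = date(2016, 9, 19)  # issuance cutoff from the article


def build_paths(leaf: Cert, certs: List[Cert],
                trusted_keys: Set[str]) -> List[List[Cert]]:
    """Return every chain leaf -> ... -> trusted root, following issuer names.

    Depth-first, exploring every candidate issuer certificate, so each
    cross-signed copy of an intermediate yields its own path."""
    by_subject: Dict[str, List[Cert]] = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        top = chain[-1]
        if top.spki in trusted_keys:
            paths.append(chain)
            return
        for cand in by_subject.get(top.issuer, []):
            if cand in chain:  # avoid cycles (e.g. self-issued certificates)
                continue
            walk(chain + [cand])

    walk([leaf])
    return paths


def evaluate(leaf: Cert) -> Tuple[bool, str]:
    """Apply the date-based distrust rule to one end-entity certificate."""
    paths = build_paths(leaf, CERTS, TRUSTED_ROOT_KEYS)
    if not paths:
        return False, "no path to a trusted root"
    # Any path that never touches the distrusted CA key keeps the leaf valid.
    clean = [p for p in paths
             if not any(c.spki in DISTRUSTED_CA_KEYS for c in p[1:])]
    if clean:
        return True, "a path avoids the distrusted CA"
    if leaf.not_before <= CUTOFF:
        return True, "issued via distrusted CA on or before the cutoff"
    return False, "issued via distrusted CA after the cutoff"


def leaf(subject: str) -> Cert:
    """Look up a constructed end-entity certificate by subject name."""
    return next(c for c in CERTS if c.subject == subject)


if __name__ == "__main__":
    for name in ("old.example", "new.example", "ok.example"):
        print(name, evaluate(leaf(name)))
```

Keying the distrust on the intermediate's public key rather than on one certificate or its name is the point of the example: the WoSign intermediate exists as two distinct certificates, one per cross-signer, sharing a key, and blocking only one of them would leave the other path valid.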

This is similar to the decision that Mozilla's CA team is considering after discovering multiple problems at WoSign, including mis-issuance of certificates and a strong suspicion, backed by evidence, that the CA issued SHA-1-signed certificates after Jan. 1, 2016 and then back-dated them in violation of industry rules.

"Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," the Mozilla team said in a detailed analysis of the incidents. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands."

The inclusion of StartCom, an Israel-based CA, in this decision is due to the fact that WoSign silently acquired StartCom in November 2015. Although WoSign said in September that the two companies are operated and managed independently, there is evidence that StartCom has been using WoSign's certificate-issuing infrastructure and processes.

In its own analysis and response, WoSign claims that only 8 SHA-1 certificates have been incorrectly issued after the SHA-1 cutoff date of Jan. 1, 2016, and that those incidents were the result of a bug in its system and API.

"WoSign remains committed to continually evolve our technology, processes, and offerings to help keep our customers and the Internet safe," the company said in its final report after the investigation. "We believe that the steps we have taken will ensure that this type of incident never happens again, and we believe that full support for CT is our commitment of supervision."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.